A team of security experts from the University of California, Riverside (UCR), disclosed the new attack last week in a paper published on Arxiv (.PDF), documenting their findings on the new exploit method.

The technique relies on speculative execution, which is a feature found in many modern CPUs in order to optimize computer performance.

As there is disparity between the potential speed of modern CPUs and memory, speculative execution occurs to keep efficiency at peak levels, but in order to do so, the CPU is employed with running batch instructions.

Once instructions are underway, the CPU does not always check whether or not memory accesses from cache are accessing privileged memory. It is this window of time that can be exploited.

According to the researchers, SpectreRSB takes a slight detour from other, similar attacks. Rather than exploit the branch predictor units of CPUs or CPU cache components, SpectreRSB exploits the Return Stack Buffer (RSB).

The researchers created proof-of-concept (PoC) attacks which can compromise the RSB's usual functions -- the prediction of return addresses of an operation the CPU is trying to complete in advance of instructions, a method used to boost CPU efficiency in modern processors.

The team says they were able to poison this routine, resulting in either mistraining of the branch predictor unit or directly polluting it to force the speculative execution of code. This, in turn, may result in the exposure of the full memory of other processes and hypervisors.

In total, three attacks have been described in the paper. The first and second show how the RSB can be manipulated by user code to alter stacks and return address matching, resulting in information leaks. As the RSB is shared among hardware threads that execute on the same virtual processor, such attacks can cause inter-process or even inter-VM pollution of the RSB.

The third attack relates to Intel Software Guard eXtension (SGX) compartments where malicious OSs can pollute the RSB to "cause a misspeculation that exposes data outside an SGX compartment."

"This attack bypasses all software and microcode patches on our SGX machine," the team says. "We believe that SpectreRSB is as a dangerous speculation attack, that in some instances is not mitigated by the primary defenses against Spectre."

The results were reported to Intel, and while attacks have not been demonstrated against AMD or ARM, the academics also reported their findings to these vendors as "they also use RSBs to predict return addresses."

The security researchers say that "none of the known defenses including Retpoline and Intel's microcode patches stop all SpectreRSB attacks," however, there is the belief that some of the issues may be mitigated.

This does not mean that the report should not be taken seriously, but on its own, it may not require a new slew of security patches.

"SpectreRSB is related to Branch Target Injection (CVE-2017-5715), and we expect that the exploits described in this paper are mitigated in the same manner," an Intel spokesperson told The Register. "We have already published guidance for developers in the whitepaper, Speculative Execution Side Channel Mitigations. We are thankful for the ongoing work of the research community as we collectively work to help protect customers."

Dubbed Spectre 1.1 and Spectre 1.2, the former utilizes speculative data stores to create speculative buffer overflows which can bypass original Spectre mitigations, while the latter is able to compromise CPUs which do not enforce read/write protection.

Intel paid Kiriansky $100,000 for the findings.

Update 10.57 GMT: An AMD spokespersons said:

"AMD is aware of a new research paper on processor speculation and a proposed vulnerability in the return stack buffer. AMD believes its recommended Indirect Branch Prediction Barrier (IBPB) setting mitigates against the described vulnerability.

As stated in this AMD Whitepaper, when IBPB is set in software for context switching, the processor enforces that older indirect branches cannot influence predictions of indirect branches in the future, we believe thereby effectively mitigating against the described vulnerability."

Thank You

By registering you become a member of the CBS Interactive family of sites and you have read and agree to the Terms of Use, Privacy Policy and Video Services Policy. You agree to receive updates, alerts and promotions from CBS and that CBS may share information about you with our marketing partners so that they may contact you by email or otherwise about their products or services.
You will also receive a complimentary subscription to the ZDNet's Tech Update Today and ZDNet Announcement newsletters. You may unsubscribe from these newsletters at any time.